Splunk Enterprise Security

  • Splunk Enterprise Security is installed on the search head; plan on one dedicated server for that role.
  • Domain add-ons (DA), supporting add-ons (SA) and technology add-ons (TA) are installed on the search head.
  • ES increases both indexer load and search load. The number of indexers required depends on:
      • the types and amounts of data used by ES
      • the number of active correlation searches
      • the number of real-time correlation searches
  • Follow Splunk best practices and guidelines (retention time and access control) when setting up multiple indexes for ES.
  1. Determine the size and scope of the install.
  2. Based on requirements, set up and deploy all needed ES add-ons and apps to the indexers, search head, and forwarders.
  3. Run the Enterprise Security installer on the search head.
  4. Enable all data inputs on the forwarders.

Storage Volume Requirements for Splunk Enterprise Security

Indexed data sizing:

  (Daily raw input volume) / 2 x (days to retain data)

Accelerated data model storage:

  (Daily raw input volume) x 3.4

Total storage = indexed data + accelerated data model storage

Example: inputting 200 GB per day with a retention period of three months (90 days)

  • Indexed data:             200 GB / 2 x 90 days = 9,000 GB (9 TB)
  • Accelerated data models:  200 GB x 3.4         = 680 GB
  • Total storage:            9,000 GB + 680 GB    = 9,680 GB (9.68 TB)

 

Deployment Server

The typical size and complex nature of an ES install call for a centralized configuration management service such as the Splunk deployment server.

The deployment server must be installed on a separate system from the ES search head.

 

ES Hardware Recommendations

Requirements depend on your actual data input volume and the number of ES users; see:

http://docs.splunk.com/Documentation/ES/latest/Install/DeploymentPlanning

Splunk Enterprise Security has minimum hardware specifications that you scale up according to your needs and usage.

  Machine role   Minimum CPU   Minimum RAM
  Search head    16 cores      32 GB
  Indexer        16 cores      32 GB

 

Splunk Enterprise Security supports installation on Linux-based search head clusters only.

Search head scaling considerations for Splunk Enterprise Security

  Factor                                               Increase this specification
  A large number of concurrent searches                CPU cores and RAM
  A high number of real-time searches being run        CPU cores
  A large number of users logging in at the same time  CPU cores
  A large number of enabled correlation searches       RAM
  Large asset and identity lookup files                RAM

 

Indexer scaling considerations for Splunk Enterprise Security

Increase the number of indexers in your deployment to scale with increases in search load and search concurrency. Because a collection of indexers can serve more than one search head, additional search heads using the same indexers as a search head hosting Enterprise Security can affect the total performance of your indexer tier and reduce the resources available to Enterprise Security.

 


Mix of data model data test

Depending on the data mix, the sustainable ingest volume ranges from 40 GB to 100 GB per indexer per day; beyond that, data model acceleration lags behind data ingestion. Based on a common scenario with a mix of data model data, this test showed that each indexer sustained a 100 GB per day ingestion rate with low latency in data model acceleration and UI responsiveness.

Data types: A selection of data sources with varying ratios were ingested and accelerated across four data models:

  • Web: 65% of all data
  • Network Traffic: 25% of all data
  • Change Analysis: 1% of all data
  • Authentication: 1% of all data, with the remaining percentage not applicable to any data model

Search load: 60 correlation searches were enabled. No additional user load was added.

Scaling results:

  Data volume (GB/day)   100   300   500   800   1000
  Indexer count            1     3     5     8     10

 

One data model

Based on a scenario where the only data in Enterprise Security was one data model with high-cardinality (very unique) data, this test showed that each indexer sustained a 40 GB per day ingestion rate with low latency for data model acceleration and UI responsiveness.

Data types: Ingest and accelerate data in the Network Traffic data model only.

Search load: 60 correlation searches were enabled. No additional user load was added.

Scaling results:

  Data volume (GB/day)    40   120   200   320   400
  Indexer count            1     3     5     8    10
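The following sizing helper is an added example, not code from Splunk or from these notes. It applies the storage rules of thumb from the storage section above (indexed data is roughly half the daily raw volume per retained day; accelerated data model storage is roughly 3.4 x the daily raw volume) together with the per-indexer ingest rates from the two scaling tests (100 GB/day for a mixed data model workload, 40 GB/day when a single high-cardinality data model dominates), and it refuses per-indexer rates outside that tested band. The function names, the headroom parameter and the sample inputs in the main block are assumptions made for this example.

```python
"""Splunk ES capacity sizing helper (added example; not Splunk's own code)."""

import math
from dataclasses import dataclass

INDEXED_RATIO = 0.5            # indexed data on disk ~ raw daily volume / 2
DMA_MULTIPLIER = 3.4           # accelerated data model storage ~ 3.4 x daily raw
GB_PER_INDEXER_MIXED = 100.0   # mixed data model test: 100 GB/day per indexer
GB_PER_INDEXER_SINGLE = 40.0   # single high-cardinality data model test: 40 GB/day


@dataclass(frozen=True)
class SizingPlan:
    daily_raw_gb: float      # planned daily raw volume (after headroom)
    retention_days: int
    indexed_gb: float        # compressed raw + index files over the retention period
    dma_gb: float            # accelerated data model summaries
    indexers: int            # indexers needed so acceleration keeps up with ingest

    @property
    def total_gb(self) -> float:
        return self.indexed_gb + self.dma_gb

    @property
    def gb_per_indexer(self) -> float:
        """Disk each indexer must hold if data is spread evenly across them."""
        return self.total_gb / self.indexers


def storage_gb(daily_raw_gb: float, retention_days: int) -> tuple:
    """Return (indexed_gb, dma_gb) for the given daily volume and retention."""
    if daily_raw_gb <= 0 or retention_days <= 0:
        raise ValueError("daily volume and retention must be positive")
    indexed = daily_raw_gb * INDEXED_RATIO * retention_days
    dma = daily_raw_gb * DMA_MULTIPLIER
    return indexed, dma


def indexer_count(daily_raw_gb: float, gb_per_indexer: float = GB_PER_INDEXER_MIXED) -> int:
    """Indexers needed at a sustained per-indexer ingest rate.

    The rate must fall inside the 40-100 GB/day band covered by the scaling
    tests; a workload dominated by one high-cardinality data model should be
    sized with the 40 GB/day figure, not the 100 GB/day one.
    """
    if daily_raw_gb <= 0:
        raise ValueError("daily volume must be positive")
    if not GB_PER_INDEXER_SINGLE <= gb_per_indexer <= GB_PER_INDEXER_MIXED:
        raise ValueError("per-indexer rate outside the tested 40-100 GB/day band")
    return math.ceil(daily_raw_gb / gb_per_indexer)


def size_deployment(daily_raw_gb: float, retention_days: int,
                    gb_per_indexer: float = GB_PER_INDEXER_MIXED,
                    headroom: float = 0.0) -> SizingPlan:
    """Combine storage and indexer sizing into one plan.

    ``headroom`` (assumed parameter) inflates the daily volume before sizing,
    e.g. 0.2 to plan for 20 % growth over the life of the deployment.
    """
    if headroom < 0:
        raise ValueError("headroom cannot be negative")
    planned = daily_raw_gb * (1.0 + headroom)
    indexed, dma = storage_gb(planned, retention_days)
    return SizingPlan(planned, retention_days, indexed, dma,
                      indexer_count(planned, gb_per_indexer))


if __name__ == "__main__":
    # Worked example from the notes: 200 GB/day, 90-day retention, mixed data.
    plan = size_deployment(200, 90)
    print(f"indexed {plan.indexed_gb:.0f} GB + DMA {plan.dma_gb:.0f} GB "
          f"= {plan.total_gb:.0f} GB total")
    print(f"indexers: {plan.indexers} (~{plan.gb_per_indexer:.0f} GB each)")
    # Same volume, but one high-cardinality data model: 5 indexers, not 2.
    single = size_deployment(200, 90, GB_PER_INDEXER_SINGLE)
    print(f"single-model indexers: {single.indexers}")
```

The indexer count is driven by ingest rate rather than by disk: at 200 GB/day the mixed workload needs 2 indexers, but the same volume concentrated in one high-cardinality data model needs 5, which is why the data mix has to be known before hardware is ordered. Per-indexer disk then follows from total storage divided by that count.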

 

Virtualized hardware

If you install Splunk Enterprise Security in a virtualized environment, you need the same memory and CPU allocation as in a non-virtualized, bare-metal environment.

  • Reserve all CPU and memory resources.
  • Do not oversubscribe hardware.
  • Test the storage IOPS across all Splunk platform indexer nodes simultaneously to ensure that the IOPS match the reference hardware specification used in your environment.
  • Insufficient storage performance is a common cause for poor search response and timeouts when scaling the Splunk platform in a virtualized environment.